Passing variable to PHP query



9:18 pm on Sep 10, 2012 (gmt 0)

Hi all

Newbie here so please be gentle.

I'm sure this question has been asked 1,000's of times but I am really struggling, being new to PHP & MySQL and using code copied from a book.

All I want to do is pass a variable from a URL to a MySQL query:


id is the variable I want to pass to the SELECT command in caravan_details.php

I have the following in for_sale.php:

echo '<a class="caravan-moredetails" href="caravan_details.php?id=' .$row['id']. '">More information &raquo;</a>';

I want to pass id as an integer variable to caravan_details.php and I'm using the following SELECT query:

$id = $_GET['id'];
$result = @mysql_query("SELECT * FROM caravans WHERE id='$id'");

I want to pass the variable direct from the URL, not using a form.


Thank you :)


9:26 pm on Sep 10, 2012 (gmt 0)

I should add, I don't get an error message when the script runs, I just don't get any records returned.


9:39 pm on Sep 10, 2012 (gmt 0)

swa66 (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)

What code does the for_sale.php generate (view source in a browser) - is the number in there ?
-> if not: that's where you need to look at. E.g. do you have a column "id" (or did you name something id in the select statement)?

If that works, did you try to call
caravan_details.php?id=1 (presuming there's such a record in your database)

For the rest: I'd be extremely careful with this type of code: you really need to do strong input validation. Just imagine somebody would call it with a parameter containing 1';drop table caravans;' -> yeah: bye bye table.

For the rest:
- use the mysqli interface (note the i), not the mysql one (it is obsolete).
- use prepared statements (much easier to secure).

Depending on context:
- htmlencode your output to prevent problems with quotes and tags (or at least xmlencode the 5 allowed entities).
- urlencoding might be needed as well.

Unfortunately 99% of books and tutorials do not teach security along with it all, leaving you extremely vulnerable - remember that the examples you rely on are very insecure and need a lot of work to become secure.
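
The advice in the reply above (validate the input, use mysqli, use a prepared statement, HTML-encode the output) applied to caravan_details.php, as an added example that is not part of the original thread. The connection settings are placeholders, and because the thread names no column other than id, the output loop prints whatever columns the row contains.

```php
<?php
// caravan_details.php - added example, not code from the thread.
// Make mysqli throw on errors. The @ prefix in the original query hides them,
// which is one way to end up with "no error message and no records".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Input validation: id must be present and a positive integer, nothing else.
//    filter_input() returns null when the parameter is missing, false when invalid.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid or missing caravan id.');
}

try {
    // Placeholder credentials (assumption): replace with your own settings.
    $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $db->set_charset('utf8mb4');

    // 2. Prepared statement: the value travels separately from the SQL text,
    //    so a payload such as 1';drop table caravans;' can never become SQL.
    $stmt = $db->prepare('SELECT * FROM caravans WHERE id = ?');
    $stmt->bind_param('i', $id);               // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());               // details go to the log, not the visitor
    http_response_code(500);
    exit('Database error.');
}

if (!$row) {                                   // no row matched the id
    http_response_code(404);
    exit('No caravan with that id.');
}

// 3. Output encoding: escape every value written into the HTML page.
echo "<dl>\n";
foreach ($row as $column => $value) {
    echo '<dt>' . htmlspecialchars($column, ENT_QUOTES, 'UTF-8') . '</dt>';
    echo '<dd>' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "</dd>\n";
}
echo "</dl>\n";
```

With error reporting switched on, a wrong table or column name produces a logged exception instead of an empty page, which separates a failing query from a query that matches no row.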


2:35 pm on Sep 11, 2012 (gmt 0)

Thanks SAW66

At the moment, this is only running on my home PC and is a development site to help me get back into things so security, currently, is no real concern although thanks for the pointers and I'm sure they will come in handy soon!

With regards to the other bits, for_sale.php generates a basic list of all rows in table caravans and displays them on the page in id number order therefore the id field is already requested from the database when for_sale.php is loaded. It is then passed to caravan_details.php (a more detailed listing of whichever table row is selected) using the code in my first post.

Whilst the output is formatted almost correctly, no values appear in the fields as id is not being picked up from caravanid (or selected from the db correctly).

Hope that makes sense........?
